| 1 |
On Friday 24 March 2006 05:38 am, Paul Kölle wrote: |
| 2 |
> 王 鹏辉 wrote: |
| 3 |
> > Hello, list, |
| 4 |
> > |
| 5 |
> > Recently, i found that my emails server has sent out mess spam emails by |
| 6 |
> > some strange account from xxx@×××××.com. I run chkrootkit then found that |
| 7 |
> > |
| 8 |
> > bindshell INFECTED (PORTS: 465) |
| 9 |
> |
| 10 |
> Me too. AFAIK it's a false positive. This is stated in a chkrootkit FAQ |
| 11 |
> whose URL slipped out of my memory but I found it by google. |
| 12 |
|
| 13 |
I can verify this as it has been a false positive for me in the past. I would |
| 14 |
highly recommend, before passing it off as a false positive, check to see |
| 15 |
what is listening on this port. I've heard that Exim uses this, and |
| 16 |
PortSentry does as well. "netstat -nap --ip" should show it. Also, you may |
| 17 |
use "lsof | grep TCP". |
| 18 |
|
| 19 |
If you find a suspect file, script, or program, (or if you suspect your |
| 20 |
'netstat' and 'lsof' binaries contain rootkits) try running: |
| 21 |
equery belongs <path to file> |
| 22 |
This should tell you to which package it belongs. Then to verify that it is |
| 23 |
the same file that was installed, you can try: |
| 24 |
equery check <package that was listed above> |
| 25 |
|
| 26 |
Since you are having spam issues, I would recommend looking into seeing if |
| 27 |
your mail server is an open relay. Here are a few ways to test this: |
| 28 |
http://www.spamhelp.org/shopenrelay/ |
| 29 |
http://www.abuse.net/relay.html |
| 30 |
|
| 31 |
This one has a list of links pertaining to ways you can test for open relay: |
| 32 |
http://www.linux-sec.net/Mail/OpenRelay/ |
| 33 |
|
| 34 |
|
| 35 |
Hope this helps! |
| 36 |
|
| 37 |
|
| 38 |
Robert Larson |
| 39 |
|
| 40 |
-- |
| 41 |
gentoo-server@g.o mailing list |
Archives